This invention relates to the security of data stored in internal network elements that provide the data to outside network users and, in particular, to the utilization of a common storage element where certain data is written and read by the internal and external elements in order to prevent unauthorized external users from accessing the internal network.
With the increase in network-based services and transactions, such as purchases, bank account transfers, and various other transactions that require transmission of sensitive personal data, there has been a corresponding increase in the amount of sensitive information that is stored by internal network databases or other storage elements that are accessible via a network, such as the Internet and any other type of external network. Many of the internal network storage elements are connected to an internal network via the same protocol used throughout various external networks and by users of the networks, namely Internet Protocol (IP), which is a protocol that requires each physical network interface to have one or more addresses, called IP addresses. As such, communication between two IP network elements involves specification of a source and a destination address. The addresses are carried in the data packets that are transmitted between the network elements, and a login session is initiated between the addressees to transmit the data.
Because many internal and external network elements are in communication with internal and external networks via IP protocol, there is an increasing concern that the sensitive personal information stored by internal network storage elements that is accessible via IP networks is not completely secure. For example, unauthorized users have been able to access internal network-based merchant databases and steal the customer credit card numbers stored therein. Unauthorized users are able to steal the sensitive information due, in part, to the fact that IP is designed to be open and accessible to all Internet users, which facilitates utilization of the Internet and the systems connected to the Internet, but results in a lack of security mechanisms. Thus, it is very difficult to secure internal databases or other storage elements when they have an IP connection to internal networks.
The conventional manner in which network designers add security for the internal network elements, such as servers, databases, and other systems containing sensitive information, is to add layers of security on top of IP. The typical approach is to place firewalls between an internal network and the external network to protect the internal network elements from being freely accessible from the external network. A firewall is a computer system or a group of computer systems that implements filtering, monitoring and logging of sessions between the networks because all information passing between the networks must pass through the firewall. Firewalls may be implemented in applications or in hardware units, such as routers or servers. One type of firewall is a screening router that examines and discriminates network traffic based upon the IP packet addresses and/or other criteria, such as type of protocol and authentication, which allows communication managers to build “profiles” of users who are allowed access to different applications. Another type of firewall is a proxy server, which is implemented as a workstation on a server and looks at all of the data in each packet and, in most cases, replaces the address with proxy destinations that are known to be secure. While proxy servers provide security by hiding the internal network from the outside world, they can significantly degrade the performance of the network, especially in high traffic areas, because of the overhead involved in inspecting all of the data in each packet. In addition, firewalls cannot prevent all attacks on an internal network from an external network because an unauthorized user who knows or guesses how the internal network is configured can trick the firewall and/or the internal network elements into believing the unauthorized user is an authorized user of the internal network.
Unauthorized users take advantage of the inherently non-secure nature of IP and the options included in IP to facilitate network operations in order to gain access to the internal network and/or the data transmitted through the internal network. IP provides, for example, source routing, which helps with network debugging and allows a user to force data packets along a given route, and Internet Control Message Protocol (ICMP) redirect, which helps data packets find their destination in the event of an incorrect network configuration. Each of these techniques allows modification of a computer system's routing table, which enables unauthorized users to insert their computers into the computer system's route for data packets. In addition, unauthorized users are able to pretend to be another computer by “borrowing” the other computer's IP address, which is commonly called address spoofing. If the borrowed IP address is the address of an internal network element, the unauthorized user can send data packets to the internal network from the Internet because the firewall and other internal network elements believe the data is coming from an authorized user. Once unauthorized users are inside the internal network, they may use various techniques to establish connections with internal storage elements or main/root elements, from which they can obtain information or assume control of the internal computer system.
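As an added illustration (not part of the patent) of the screening-router filtering described above, the following rule set drops, at the perimeter, the three IP abuses just listed: packets arriving from the outside that carry a borrowed internal source address, packets carrying a source-routing option, and ICMP redirects from the external network. The interface names, the 10.0.0.0/8 internal range and the sample packets are constructed assumptions for the example.

```python
# Added example, not from the patent: a minimal "screening router" rule set
# that blocks the IP abuses the text describes (borrowed internal source
# addresses, source routing, ICMP redirects). Interface names, address
# ranges and the sample packets below are constructed for illustration.
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed internal address range; a real deployment lists its own prefixes.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SOURCE_ROUTE_OPTS = {"lsrr", "ssrr"}   # IPv4 loose/strict source route options
ICMP_REDIRECT = 5                      # ICMP type 5 = redirect

@dataclass
class Packet:
    iface: str               # "ext" = Internet-facing side, "int" = internal side
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    options: tuple = ()      # names of IPv4 options carried by the packet
    icmp_type: int = -1      # ICMP type when proto == "icmp"

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def screen(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for one packet seen at the perimeter router."""
    if pkt.iface == "ext" and is_internal(pkt.src):
        return "drop", "internal source address arriving from outside"
    if pkt.iface == "int" and not is_internal(pkt.src):
        return "drop", "non-internal source address leaving the network"
    if SOURCE_ROUTE_OPTS & set(pkt.options):
        return "drop", "source-routing option present"
    if pkt.iface == "ext" and pkt.proto == "icmp" and pkt.icmp_type == ICMP_REDIRECT:
        return "drop", "ICMP redirect from external network"
    return "accept", "no rule matched"

def audit(packets: list[Packet]) -> Counter:
    """Count verdict reasons; a burst of drops is the detection signal to log."""
    return Counter(screen(p)[1] for p in packets)

# Constructed sample traffic: one legitimate flow and three of the abuses.
SAMPLE = [
    Packet("ext", "203.0.113.7", "10.0.0.5", "tcp"),
    Packet("ext", "10.0.0.9", "10.0.0.5", "tcp"),              # borrowed internal source
    Packet("ext", "203.0.113.7", "10.0.0.5", "tcp", ("lsrr",)),
    Packet("ext", "203.0.113.7", "10.0.0.1", "icmp", icmp_type=ICMP_REDIRECT),
]
```

Running `audit(SAMPLE)` yields one accept and three distinct drop reasons; the egress rule also catches an internal host emitting a borrowed external address.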
Placing another firewall or filtering system behind the firewall at the perimeter of the internal network may enable detection of unauthorized users of the internal network, but this configuration still does not prevent the unauthorized user from accessing the internal network elements. One manner in which network administrators attempt to identify unauthorized users of internal networks is to set up a false internal network with access to the outside network(s) that attracts unauthorized users and tracks them. These configurations, however, also do not provide complete security for an internal network because they do not prevent unauthorized users from accessing the real internal network.
Thus, there is a need in the industry to secure internal networks from attacks by unauthorized users. In particular, there is a need to not only detect unauthorized users of an internal network, but also prevent unauthorized users from accessing the internal network storage elements, without creating network performance degradation and without adding significant cost.